Insanity Hosting

Target IP: 192.168.136.124
Challenge Description: One of the definitions of insanity is doing the same thing over and over again and expecting different results.


Reconnaissance

85af091f6d4dd946163cd6b8379cb3e3.png
Performing a TCP port scan using the command sudo nmap -sS 192.168.136.124 -p- returns the result shown in the image above. There are three TCP ports open on the target machine: FTP, SSH, and HTTP on their standard ports. Time to check them out.

158b6b33623f8fe4515d92bf9b6c93a0.png
Running an aggressive TCP port scan against the three ports using the command sudo nmap -sV -A 192.168.136.124 -p 21,22,80 returns the result shown in the image above. The FTP service on port 21, vsftpd 3.0.2, allows anonymous login, but retrieving the directory listing times out. SSH on port 22 is running OpenSSH 7.4 (protocol 2.0). Finally, the web application on port 80 is served by Apache httpd 2.4.6 ((CentOS) PHP/7.2.33). We even get the PHP version, which is useful.


Enumeration

Port 21: FTP
e75d54a08a5872bcde517802ae4b47f1.png
I logged into the FTP service using anonymous login and ran the command passive to avoid the timeout. There is one directory called pub, but I am not able to upload anything into it. Maybe I can come back once I have possible usernames.

Port 80: HTTP
4767ddc6e6a174190001a32b8c3578bd.png
The webpage shown in the picture above is returned by the web application on port 80. The email address on the page contains the domain name insanityhosting.vm, which could be a hostname. I added this hostname to my /etc/hosts file. Time to enumerate further.

6df7d9f1a88eaf7cc757720dba7d5dfd.png
The login page shown in the picture above is returned when I browse to http://insanityhosting.vm/monitoring/login.php. I found this link while reading the source code of the main webpage. I attempted to log in using default credentials such as admin:admin, but had no luck. I tested for SQL injection, but had no luck either. Time to perform a directory search.

956820002e115c40189d7d9616d08f3e.png
I performed a directory search using the command feroxbuster -u http://insanityhosting.vm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,jpg,yml,cfg,sql -d 6 --scan-dir-listings -C 404. Some of the interesting entries are shown in the image above, including /news, /monitoring and /webmail.

25a17bd51bba300b526f9fe3e8a948c7.png
While the scan was running, I decided to check out some of the results. One of the results it found is http://insanityhosting.vm/news. Browsing to this page returned the webpage shown in the picture above. This page contains the username Otis, and the application appears to be built with the Bludit CMS. Further enumeration indicated that every page under /news/ is likely served by Bludit.

9980508f18ba54d9b71cff03ae1ee6f8.png
Using the same technique, I managed to locate the login page for the CMS application at http://insanityhosting.vm/news/admin/ as shown in the picture above. I performed a further directory search using the command feroxbuster -u http://insanityhosting.vm/news/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,jpg,yml,cfg,sql -d 3 --scan-dir-listings -C 404 to identify files inside the /news/ directory, but I didn't find anything useful like version files.

e5d187246d3ed779e9f7bf227887d24b.png
There is one more interesting directory found by the directory search scan: /webmail. I browsed to http://insanityhosting.vm/webmail/src/login.php and the webpage shown in the picture above was returned to me. The application name and version are SquirrelMail 1.4.22. I tried to log in using default credentials such as admin:admin, admin:root, etc., but had no luck. I checked for any useful files inside this /webmail/ directory, but didn't find anything useful. So far I have found one username, Otis, and four possible login attack vectors: FTP, Bludit CMS, SquirrelMail, and the main login page at /monitoring. I can attempt to brute-force the password of this user across the four different services. I could technically also try it against SSH. However, I will attempt to brute-force the mail application first.


Exploitation

Exploitation: SQL Injection Inside Server Downtime Reporting Feature (Web Application & Mail)
02eba4226d007da67e843a0133381918.png
e57e8a975c73003b333f119bf2d05b2b.png
Using Burp Suite, I intercepted a login request and, with the Intruder feature, created a simple Sniper attack. The password wordlist I used is xato-net-10-million-passwords-1000.txt from SecLists. I set the payload position on the secretkey parameter, as this is the password field, and launched the attack. After leaving it for some time, I checked the results. The first payload, the password 123456, looked suspicious because the response length is small and the HTTP status code is 302. I used the credentials otis:123456 and got a hit. This is a valid login, as I gained access to the SquirrelMail application shown in the image above. I enumerated the mail application, such as the inbox and deleted folders, but didn't find anything. I attempted to use this access to read sensitive files on the server, but had no luck either.
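The 302-versus-200 pattern that made the valid login stand out in Intruder is also what a defender can alert on from the web server's access log. The following Python script is an added example, not code from the original write-up or from SquirrelMail: it parses Apache combined-format lines (the sample lines are constructed; the POST endpoints /webmail/src/redirect.php and /monitoring/login.php are assumed form targets) and flags any client IP that fails login more than a threshold number of times inside a sliding window, noting whether a 302 success follows the spray.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed login POST targets: SquirrelMail's form handler and the /monitoring login page.
LOGIN_PATHS = {"/webmail/src/redirect.php", "/monitoring/login.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, window_s=60, threshold=10):
    """Flag client IPs with >= threshold failed login POSTs inside window_s seconds.

    As observed on the page, a 302 redirect after the POST is treated as a
    successful login and any other status as a failure. Returns {ip: finding}.
    """
    failures = defaultdict(deque)   # per-IP timestamps of failed attempts
    findings = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        ip = rec["ip"]
        if rec["status"] == 302:
            if ip in findings:
                findings[ip]["success_after"] = True  # spray ended in a valid login
            continue
        window = failures[ip]
        window.append(rec["ts"])
        # Drop failures older than the window; the newest entry always stays.
        while (rec["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            findings[ip] = {
                "failures_in_window": len(window),
                "first_seen": window[0],
                "last_seen": rec["ts"],
                "success_after": findings.get(ip, {}).get("success_after", False),
            }
    return findings


# Constructed sample: one client tries 12 passwords in 12 seconds and then
# logs in; a second client makes a single ordinary login attempt.
SAMPLE_LOG = [
    f'192.168.136.1 - - [02/Jan/2024:10:00:{s:02d} +0000] '
    f'"POST /webmail/src/redirect.php HTTP/1.1" 200 2531 "-" "Mozilla/5.0"'
    for s in range(12)
] + [
    '192.168.136.1 - - [02/Jan/2024:10:00:12 +0000] "POST /webmail/src/redirect.php HTTP/1.1" 302 305 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Jan/2024:10:01:00 +0000] "POST /monitoring/login.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [02/Jan/2024:10:01:30 +0000] "GET /monitoring/index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The threshold and window are deliberately loose; on a real mail or monitoring host they should be tuned against normal login rates, and the "success_after" flag is the part worth paging on, since it marks a password spray that actually worked.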

acde13dc0d5f06f845519306f00124f6.png
I logged into the web application at http://insanityhosting.vm/monitoring/login.php using the credentials otis:123456 and the webpage shown in the picture above was returned to me. It seems to be a management application for servers. I tested the application for some time and added the IP of my own machine to try it out.

cff75974e9c5fd23e0bbceef53f99a6b.png
I noticed that the web application pings each server in the list every minute to check whether it is alive. If it is performing a ping on the backend, command injection could be possible. I tried a number of different command injection techniques, but had no luck.

869c09d46a43904e6dc2e45a880e72bd.png
When I checked the mail application again, the inbox had some emails. I checked the contents and obtained the result shown above. An email is created each time a host in the list is not pingable; this is the report functionality. I also noticed the fields ID, Host, Date Time and Status in the email report, which look like database table fields. To test for SQL injection, I can enter an invalid hostname and place the SQL payload inside the Host field. The earlier command injection payloads broke this application and I had to reset the box.

9b167473e5ecd383d3566eec325a7806.png
Since the number of columns is four, I tested the basic payload: test" UNION SELECT 1, database(), user(), @@VERSION-- //. And bingo. I received the output monitoring,root@localhost,5.5.65-MariaDB, as shown in the image above. The web application is vulnerable to SQL injection. The database name is monitoring, the application connects as root@localhost, and the database version is 5.5.65-MariaDB. I noticed that if a payload causes an error, a new entry has to be created for the next payload.

08242411abf7a59288cd0daf5e2214be.png
I used the SQL injection payload " UNION SELECT 'db names:', schema_name, 3, 4 from INFORMATION_SCHEMA.SCHEMATA-- // and received the output shown in the image above. There are four databases; only monitoring is not a default one. Let's check what we can grab from it.

ee79fe949dae8aa6f9ca3ecd21f982cf.png
To check what tables exist in the monitoring database, I used the SQL injection payload: " UNION SELECT 'table:', TABLE_NAME, TABLE_SCHEMA, 4 from INFORMATION_SCHEMA.TABLES where table_schema='monitoring'-- //. And I received the output shown in the picture above. There is an interesting table called users. Can I grab user credentials? Before dumping the contents of the table, I will need to check the columns.

a3461c94e8327b126534b2acea0fdb9a.png
To enumerate the columns in the users table of the monitoring database, I used the following payload: " UNION SELECT 1, COLUMN_NAME, TABLE_NAME, TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='users'-- //. This returned the result shown in the image above. The table has four columns: id, username, password, and email. Time to dump the contents of the table now :)

0e1c366a1ecb6c7a6c899206fd8716a9.png
To dump the contents, I used the SQL injection payload: " UNION SELECT id, username, password, email FROM users-- //. As shown in the image above, we have the following usernames and password hashes:

admin:$2y$12$huPSQmbcMvgHDkWIMnk9t.1cLoBWue3dtHf9E5cKUNcfKTOOp8cma
nicholas:$2y$12$4R6JiYMbJ7NKnuQEoQW4ruIcuRJtDRukH.Tvx52RkUfx5eloIw7Qe
otis:$2y$12$./XCeHl0/TCPW5zN/E9w0ecUUKbDomwjQ0yZqGz5tgASgZg6SIHFW
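To show why the Host field could be abused this way, here is an added Python example (not code from the original page or from the target's monitoring application) that rebuilds the report query against an in-memory SQLite database. The schema, the host row and the user rows are constructed; the application is assumed to wrap the host value in single quotes, so the page's UNION payload appears with a leading ' instead of ". The vulnerable function interpolates the host into the SQL text and hands back the users rows, while the parameterised version binds the value and returns nothing.

```python
import sqlite3

# Constructed schema: hosts mirrors the fields seen in the email report
# (ID, Host, Date Time, Status); users mirrors the table dumped above.
SCHEMA = """
CREATE TABLE hosts (id INTEGER, host TEXT, date_time TEXT, status TEXT);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT);
INSERT INTO hosts VALUES (1, 'web01.example', '2024-01-02 10:00:00', 'DOWN');
INSERT INTO users VALUES (1, 'admin', '<bcrypt-placeholder-1>', 'admin@example');
INSERT INTO users VALUES (2, 'otis', '<bcrypt-placeholder-2>', 'otis@example');
"""

# The page's payload, with a leading single quote because this constructed
# application wraps the host value in single quotes (the target used ").
PAYLOAD = "' UNION SELECT id, username, password, email FROM users-- //"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def report_vulnerable(conn, host):
    # The host value is pasted into the SQL text, so a quote inside it ends
    # the string literal and the remainder is parsed as SQL.
    sql = f"SELECT id, host, date_time, status FROM hosts WHERE host = '{host}'"
    return conn.execute(sql).fetchall()


def report_safe(conn, host):
    # The host value is bound as a parameter: it is only ever compared as
    # data, whatever characters it contains, so the UNION never runs.
    sql = "SELECT id, host, date_time, status FROM hosts WHERE host = ?"
    return conn.execute(sql, (host,)).fetchall()


def demo():
    """Run the same payload through both versions and a legitimate lookup."""
    conn = make_db()
    return {
        "vulnerable": report_vulnerable(conn, PAYLOAD),
        "safe": report_safe(conn, PAYLOAD),
        "legit": report_safe(conn, "web01.example"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Binding parameters closes the injection, but the write-up also shows the query running as root@localhost with the FILE privilege, so the full fix is a dedicated database account that can only read and write the monitoring tables.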

1b852bbfdfcd35393d08526a82117681.png
With the hashes in hand, I copied them over to my machine to crack offline. I can use any cracked credentials to log in to the different services, such as SSH. While my machine was attempting to crack the hashes, I decided to enumerate further. I wanted to see whether the database user has read and write privileges over files on the server. Using the payload " UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- //, I got a hit: the current user has the SUPER and FILE privileges. I will attempt to read the /etc/passwd file to test this.

5d718d5733918b94e746b3d8bf6e7e67.png
Using the payload " UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- //, I was able to read the /etc/passwd file on the server, as shown in the image above. There are multiple users on the machine: root, otis, elliot, nicholas and monitor. Since I can read files, the obvious attack vector would be to attempt to read the SSH keys of the different users on the machine, but I had no luck. I tested for write privileges, but had no luck either. One place I haven't checked is the credentials stored in the mysql.user table.

377c299ac608a9598f2e8448ace16ab6.png
Using the payload " UNION SELECT 1, user, password, authentication_string FROM mysql.user-- //, I managed to grab the two hashes shown in the picture above. The second hash 5A5749F309CAC33B27BA94EE02168FA3C3E7A3E9 belongs to the user elliot. MariaDB allows authentication using this authentication_string.

fc6f1accd4e21a135217b8fe0962ae83.png
Using the crackstation tool online, I managed to obtain the plaintext elliot123. Now I have the credentials elliot:elliot123. From previous enumeration, this user exists on the target machine and SSH is available. I will attempt to log in using these new credentials.

Foothold: SSH Access as User elliot
9b5755f45af24eeee4be5ac9fd80f15d.png
And bingo. Now I have SSH access to the target machine as the user elliot. I logged in using the command ssh elliot@insanityhosting.vm and the password elliot123. Time to elevate my privileges :)


Privilege Escalation

Vertical Privilege Escalation: User elliot to User root via Password Decryption Inside .mozilla

010306f1279fd2afdebfdcdcdaf1d52c.png
After obtaining a shell on the target machine, I ran the command ls -la and obtained the result shown in the image above. There is a directory named .mozilla inside the home directory of user elliot. This directory often contains saved browser credentials, although they are stored encrypted.

9277aca0097aff5d06c5fc0586ebde65.png
As shown in the image above, the directory /firefox/esmhp32w.default-default contains a file called logins.json, which holds the encrypted credentials shown in the image. The only way to decrypt it is to run an external tool. On the compromised machine, I ran the command tar czfP firefox.tar.gz .mozilla to create an archive. Since I have the SSH credentials of the user elliot, I used them to transfer the file from the target to my attack machine with the command scp -r elliot@insanityhosting.vm:/home/elliot/firefox.tar.gz /tmp. Once the transfer was complete, I used the good old firefox_decrypt tool, which is available here, to decrypt the passwords inside logins.json. I cloned this GitHub project on my machine. A guide on how to use firefox_decrypt is provided here.

d8299e4ed5da1bca6260d309765a9363.png
I extracted the archived file first on my machine. To decrypt the passwords, I ran the command python3 firefox_decrypt.py ../Mozilla/.mozilla/firefox/esmhp32w.default-default. And bingo, I obtained the credentials root:S8Y389KJqWpJuSwFqFZHwfZ3GnegUa.
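A defender can find this kind of stored-credential exposure before it is abused. The Python script below is an added example, not part of the write-up or of the firefox_decrypt project: it walks a base directory for Firefox profiles, reads each logins.json (Firefox's format keeps a "logins" list whose entries carry a "hostname" field) and reports how many saved logins each profile holds and whether the key4.db (or older key3.db) needed to decrypt them sits beside it, without decrypting anything. The sample profile it audits is constructed inside a temporary directory.

```python
import json
import os
import tempfile

# Firefox keeps saved logins per profile in logins.json; the key material
# needed to decrypt them lives beside it in key4.db (key3.db in old profiles).
KEY_DB_NAMES = ("key4.db", "key3.db")


def audit_firefox_logins(base_dir):
    """Return one finding per Firefox profile found under base_dir.

    Each finding records the profile path, the number of saved logins, the
    hostnames they belong to, and whether a key database sits next to them
    (in which case anyone who can read the home directory can recover the
    plaintext). Nothing is decrypted; this is an inventory check.
    """
    findings = []
    for root, _dirs, files in os.walk(base_dir):
        if "logins.json" not in files:
            continue
        path = os.path.join(root, "logins.json")
        try:
            with open(path, encoding="utf-8") as fh:
                logins = json.load(fh).get("logins", [])
        except (OSError, ValueError):
            continue  # unreadable or malformed file: not a usable profile
        findings.append({
            "profile": root,
            "login_count": len(logins),
            "hostnames": sorted({entry.get("hostname", "?") for entry in logins}),
            "key_db_present": any(name in files for name in KEY_DB_NAMES),
        })
    return findings


def build_sample_home(base_dir):
    """Create a constructed home directory holding one Firefox profile."""
    profile = os.path.join(base_dir, "elliot", ".mozilla", "firefox", "sample.default")
    os.makedirs(profile)
    # Constructed logins.json: the ciphertext fields are placeholders.
    sample = {"nextId": 2, "logins": [{
        "id": 1,
        "hostname": "http://insanityhosting.vm",
        "encryptedUsername": "<placeholder>",
        "encryptedPassword": "<placeholder>",
    }]}
    with open(os.path.join(profile, "logins.json"), "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    open(os.path.join(profile, "key4.db"), "wb").close()  # empty stand-in for the key store
    return profile


def demo():
    """Build the sample home directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_home(tmp)
        return audit_firefox_logins(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against /home on a server, the same check surfaces profiles like the one above, where a browser profile with root's password saved sits in an ordinary user's home directory and is readable by anyone holding that user's login.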

064227b1e1fa7905da6bf16ba6e3240f.png
Using the command su root and the password S8Y389KJqWpJuSwFqFZHwfZ3GnegUa, I managed to successfully elevate my privileges to root access on the target machine :) Now I have a root shell.


Flags

80642e8c17f5b3b8609050cf34135f2f.png
The two flags, proof.txt and local.txt, are shown in the picture above.